The Economics of Ransomware Attacks on Integrated Supply Chain Networks

Abstract

We explore the economics of ransomware on production supply chains. Integrated supply chains result in a mutual-dependence between firms that can be exploited by cyber-criminals. For instance, we show that by targeting one firm in the network the criminals can potentially hold multiple firms to ransom. Overlapping security systems may also allow the criminals to strike at weak points in the network. For instance, it may be optimal for the attacker to target a supplier in order to ransom a large producer at the heart of the production network. We introduce a game theoretic model of an attack on a supply chain and solve for two types of Nash equilibria. We then study a hub and spoke example before providing simulation results for a general case. We find that the total ransom the criminals can demand is increasing in the average path length of the network. Thus, the ransom is lowest for a hub and spoke network and highest for a line network. Mitigation strategies are discussed.